[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] old (but unfixed in our clones) qemu security issues?
From: |
Jan Beulich |
Subject: |
Re: [Qemu-devel] old (but unfixed in our clones) qemu security issues? |
Date: |
Mon, 02 Mar 2015 14:40:39 +0000 |
>>> On 02.03.15 at 15:18, <address@hidden> wrote:
> On Mon, 2 Mar 2015, Jan Beulich wrote:
>> >>> On 02.03.15 at 15:05, <address@hidden> wrote:
>> > I guess I could monitor cve.mitre.org or the QEMU stable tree for
>> > commits with "CVE" in the commit message, but there isn't much else I
>> > can do.
>>
>> Yes, I think the latter is (for the time being) the most promising route.
>> Question is how much work it is going to be to find out about past
>> ones.
>
> I could look at the matching QEMU stable tree for each of our past
> qemu-xen-upstream releases.
>
> Unfortunately it is going to be an error prone process as QEMU stable
> trees have shorter maintenance cycles compared to Xen Project. I am
> unlikely to find recent CVEs backported to 1.6.x, that is the base for
> qemu-xen in Xen 4.4.
Yeah, I think you'll need to look at all stable trees at least, and accept
that some of the fixes may require extra backporting work.
Jan